On 05/04/18 10:50, 周詮儒 wrote:
> Since a secret key needs a passphrase to use.

Let me clarify because it is not obvious: this is not the case. It is perfectly valid to have a secret key without a passphrase. The drawback is that anyone with file access to the on-disk copy of the secret key has full possession of it.

> Furthermore, a secret key on a remote machine isn't under enough
> protection. That may have some security issue.

Try to work this thought out in detail for yourself: it depends on your threat model. Try to think of ways an attacker can access the file with the secret key. Think what that attacker could do with that level of access, even if the secret key were not available to them. Could they perhaps still fully compromise the process? If so, does it still matter that they can also access the private key?

It might be wise to exclude the file containing the private key from backups, though. That avoids a whole different class of access to cold storage. I don't back up my SSH on-disk private keys. Should one of my systems crash and need to be restored from backup, I would generate new SSH keys and distribute them. Perhaps in your case it would also be better to just bite the bullet and generate new keys whenever the system is unrecoverable.

> * To encrypt the file by a secret key:
>
> This can meet my needs.

I don't think this makes sense. A public key is inherently designed to be disseminated to anybody. The system is designed like that; it expects public data to be non-secret. Encrypting to the public key, if it were possible, means you intend for anybody to be able to decrypt it. That's not encryption.

If you want to be sure that something originated from a person holding a private key, sign it with that private key. That proves that the data was not modified from what they intended to sign.

HTH,
Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________ Gnupg-users mailing list Gnupgemail@example.com http://lists.gnupg.org/mailman/listinfo/gnupg-users